
RE: [Users] freeswan says SA established, but softpk keeps retransmitting ISAKMP OAK MM *

From: Andreas Steffen (andreas.steffen_at_strongsec.com)
Date: Mon Mar 18 2002 - 23:20:04 CET


Don't reduce your RSA keys to 512 bits. 1024 bits are a minimum.
There are much better ways to arrive at a lean X.509 certificate.
I append a stripped down version of openssl.cnf, which should
give you certs well below 1k.

Regards

Andreas

======================================================================
Andreas Steffen e-mail: andreas.steffen_at_zhwin.ch
Zuercher Hochschule Winterthur home: http://www.zhwin.ch/~sna/
CH-8401 Winterthur (Switzerland) phone: +41 76 340 25 56
===============================================================[ZHW]==

> -----Original Message-----
> From: users-admin_at_lists.freeswan.org
> [mailto:users-admin_at_lists.freeswan.org]On Behalf Of Doug Wilson
> Sent: Monday, 18 March 2002 18:32
> To: Andreas Steffen
> Cc: freeswan users list
> Subject: Re: [Users] freeswan says SA established, but softpk keeps
> retransmitting ISAKMP OAK MM *
>
>
> Thanks again, Andreas.
>
> You're right, it was SoftPK dropping the IP fragment. I reduced the
> keys on both sides to 512 bytes and the distinguished names to only C=,
> O=, and CN= and now it works. My only concern now is, are 512 byte keys
> sufficiently safe from brute force attacks these days or not?
>
> What's the general consensus on how large keys need to be?
>
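
The size trade-off discussed in this message, as an added example that is not part of the original mail and is not the openssl.cnf Andreas attached: it DER-encodes a bare self-signed X.509 v1 certificate (no extensions) and reports its length for different RSA key sizes and distinguished names. All names, dates and key bytes are constructed placeholders, and the function names are hypothetical.

```python
# Added example: DER size of a bare X.509 v1 certificate (no extensions).
# All names, dates and key bytes below are constructed placeholders.

def tlv(tag, body):
    """DER tag-length-value with definite short or long length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def seq(*parts):
    return tlv(0x30, b"".join(parts))

ATTR = {"C": "550406", "ST": "550408", "L": "550407",
        "O": "55040a", "OU": "55040b", "CN": "550403"}
RSA_OID = "2a864886f70d010101"       # rsaEncryption
SHA1_RSA_OID = "2a864886f70d010105"  # sha1WithRSAEncryption

def alg(oid_hex):
    return seq(tlv(0x06, bytes.fromhex(oid_hex)), tlv(0x05, b""))

def name(dn):
    """dn is a list of (attribute, value); one RDN per attribute."""
    return seq(*[tlv(0x31, seq(tlv(0x06, bytes.fromhex(ATTR[a])),
                               tlv(0x13, v.encode()))) for a, v in dn])

def cert_size(key_bits, dn):
    """Length in bytes of a self-signed v1 cert with an RSA key of key_bits."""
    n = key_bits // 8
    modulus = tlv(0x02, b"\x00" + b"\xff" * n)          # top bit set -> leading 0
    pubkey = seq(modulus, tlv(0x02, b"\x01\x00\x01"))   # e = 65537
    spki = seq(alg(RSA_OID), tlv(0x03, b"\x00" + pubkey))
    when = tlv(0x17, b"020318000000Z")                  # UTCTime placeholder
    tbs = seq(tlv(0x02, b"\x01"), alg(SHA1_RSA_OID), name(dn),
              seq(when, when), name(dn), spki)
    signature = tlv(0x03, b"\x00" + b"\xff" * n)        # same length as modulus
    return len(seq(tbs, alg(SHA1_RSA_OID), signature))

LEAN = [("C", "CH"), ("O", "Example"), ("CN", "gw.example.org")]
LONG = [("C", "CH"), ("ST", "Zuerich"), ("L", "Winterthur"),
        ("O", "Example Networks AG"), ("OU", "Network Security Group"),
        ("CN", "vpn-gateway-01.branch.example.org")]

if __name__ == "__main__":
    for label, dn in (("lean DN", LEAN), ("long DN", LONG)):
        for bits in (512, 1024):
            print(f"{label}, RSA {bits}: {cert_size(bits, dn)} bytes")
```

With these constructed names, shortening the DN saves more bytes than halving the key from 1024 to 512 bits; a real certificate is somewhat larger because of its serial number and any v3 extensions.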


